CVE-2024-43768Out-of-bounds Write in External Skia

CWE-787Out-of-bounds WriteCWE-201Sensitive Info Insertion into Sent Data7 documents7 sources
Severity
7.8HIGHNVD
EPSS
0.2%
top 58.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform External SkiaGoogle Android
Timeline
PublishedJan 3
Latest updateAug 23

Description

In skia_alloc_func of SkDeflate.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

Androidplatform/external_skia12:012:2024-12-01+3
CVEListV5google/android5 versions+4
NVDgoogle/android5 versions+4

🔴Vulnerability Details

4
GHSA
Liferay Portal JSONWS API endpoint shares sensitive information2025-08-23
GHSA
GHSA-fvg9-4m3g-p4h7: In skia_alloc_func of SkDeflate2025-01-03
CVEList
CVE-2024-43768: In skia_alloc_func of SkDeflate2025-01-02
OSV
CVE-2024-43768: In skia_alloc_func of SkDeflate2024-12-01

📋Vendor Advisories

2
Android
CVE-2024-43768: Android Security Bulletin 2024-12-01 CVE: CVE-2024-43768 Severity: HIGH Type: EoP Affected AOSP versions: 12, 12L, 13, 14, 15 References: A-3496784522024-12-01
Debian
CVE-2024-43768: libskia - In skia_alloc_func of SkDeflate.cpp, there is a possible out of bounds write due...2024
CVE-2024-43768 — Out-of-bounds Write in External Skia | cvebase